trevp / tlslite Goto Github PK
View Code? Open in Web Editor NEWTLS Library in python
License: Other
TLS Library in python
License: Other
Since tlslite has quite a few tests now and we want to preserve compatibility with both old and new Pythons, I think it would be good idea to have some Continuous Integration to run the tests against all those versions.
From what I found, travis-ci.org is free, integrates well with github and has support for multiple execution environments, including Python 2.6, 3.2 and later
Running 'make test' after commit 496980f fails with a server-side handshake_failure in unit test 26.b.
This appears to be caused by filtering of the sha256 MACs in HandshakeSettings.validate()
for pre-TLS 1.2 versions, which results in the server lacking any valid ciphersuites (hence no shared ciphersuites with client, hence handshake_failure). I suspect Fault.ignoreVersionForCipher
is supposed to prevent this, but it only inhibits calls to CipherSuite.filterForVersion
which was where filtering occurred previously.
I decided against submitting a pull request because I'm not sure what the preferred solution would be; three that come to mind are either to add fault injection to the HandshakeSettings object, to skip validation altogether if a fault has been injected, or to revert the filtering in validate() since it appears (at first glance) to be redundant.
draft-mavrogiannopoulos-chacha-tls is close to being standardised, it would be good to have an implementation of at least the RSA-based ciphers
Trying to use tlslite.utils.keyfactory.parsePrivateKey
with Python 2.7 when PyCypto is installed raises an unhelpful AssertionError
. It comes from within PyCrypto which expects long
values rather than int
and refuses to take anything else.
I'm going to guess this is due to the Python 3 changes from 0.4.4.
tlslite/tlslite/utils/openssl_rsakey.py
Line 102 in cd82fad
s is not a string, in order to be searched with find() it needs to be converted, e.g.:
ss = str(s,'utf-8')
and then various searches become ss.find, ss.startswith, etc.
Line 106 is potentially problematic even with this fix:
s = s[start:]
since start is effectively a character count.
I installed tlslite on Ubuntu 12.04 with
git pull https://github.com/trevp/tlslite.git
sudo python setup.py install
which passes fine. But when I try to do the inital test like told in the README:
tlslite/tests$ ./tlstest.py server localhost:4443 .
Traceback (most recent call last):
File "./tlstest.py", line 791, in <module>
serverTestCmd(sys.argv[2:])
File "./tlstest.py", line 460, in serverTestCmd
x509Cert = X509().parse(open(os.path.join(dir, "serverX509Cert.pem")).read())
File "/usr/local/lib/python2.7/dist-packages/tlslite/x509.py", line 43, in parse
self.parseBinary(bytes)
File "/usr/local/lib/python2.7/dist-packages/tlslite/x509.py", line 97, in parseBinary
self.publicKey = _createPublicRSAKey(n, e)
File "/usr/local/lib/python2.7/dist-packages/tlslite/utils/keyfactory.py", line 179, in _createPublicRSAKey
return PyCrypto_RSAKey(n, e)
File "/usr/local/lib/python2.7/dist-packages/tlslite/utils/pycrypto_rsakey.py", line 18, in __init__
self.rsa = RSA.construct( (n, e) )
File "/usr/lib/python2.7/dist-packages/Crypto/PublicKey/RSA.py", line 235, in construct
key = self._math.rsa_construct(*tup)
TypeError: must be long, not int
Hi, I'm trying to use the TLSSocketServerMixin and getting this error, after a successful TLS connection:
Traceback (most recent call last):
File "/usr/lib64/python2.7/SocketServer.py", line 582, in process_request_thread
self.finish_request(request, client_address)
File "/usr/lib/python2.7/site-packages/tlslite/integration/tlssocketservermixin.py", line 56, in finish_request
self.RequestHandlerClass(tlsConnection, client_address, self)
File "/usr/lib64/python2.7/SocketServer.py", line 640, in __init__
self.finish()
File "/usr/lib64/python2.7/SocketServer.py", line 694, in finish
self.wfile.close()
File "/usr/lib64/python2.7/socket.py", line 282, in close
self._sock.close()
AttributeError: 'NoneType' object has no attribute 'close'
My code is here: https://github.com/agrover/targetd/blob/master/targetd
I'm still investigating (I need this to work :) but wanted to open the issue in case you had some quick insight into it.
Thanks -- Andy (btw tlslite is packaged in Fedora now)
In compat.py (https://github.com/trevp/tlslite/blob/master/tlslite/utils/compat.py#L49)
base64 is used but not imported. It does not break because the function it implements (b2a_base32) it not used in tlslite.
I suggest adding the import or removing this function.
The README of tlslite states
To save yourself the trouble of inspecting certificates and/or TACKs after the
handshake, you can pass a Checker object into the handshake function. The
checker will be called if the handshake completes successfully. If the other
party isn't approved by the checker, a subclass of TLSAuthenticationError will
be raised.
but actually the checker is no checking of TACKs in any form. Or am I missing something?
I would like to send ClientHellos with tlslite but I get TLSAbruptCloseErrors when trying to get the server's response. Can you please help?
script:
#!/usr/bin/python -tt
# vim: fileencoding=utf8
import socket
import tlslite
class TLSConnectionTester(tlslite.tlsrecordlayer.TLSRecordLayer):
def __init__(self, sock):
tlslite.tlsrecordlayer.TLSRecordLayer.__init__(self, sock)
def test(
self,
cipher=tlslite.constants.CipherSuite.TLS_RSA_WITH_3DES_EDE_CBC_SHA):
session_id = bytearray(0)
version = (3, 2)
client_hello = tlslite.messages.ClientHello()
ciphers = [tlslite.constants.CipherSuite.TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
cipher, 52, 58]
print ciphers
client_hello.create(version,
tlslite.utils.cryptomath.getRandomBytes(32),
session_id,
ciphers,
[tlslite.constants.CertificateType.x509],
None, False, False, "")
self._handshakeStart(client=True)
for result in self._sendMsg(client_hello):
yield result
if result in (0, 1):
print "wait"
else:
break
for result in self._getMsg(
tlslite.constants.ContentType.handshake,
tlslite.constants.HandshakeType.server_hello):
print result
if result in (0, 1):
yield result
else:
break
server_hello = result
yield server_hello
def makesocket():
sock = socket.socket()
sock.connect(("127.0.0.1", 443))
return sock
if __name__ == "__main__":
sock = makesocket()
tlscon = TLSConnectionTester(sock)
for r in tlscon.test():
pass
Exception:
TLSAbruptCloseError Traceback (most recent call last)
/usr/lib/python2.7/site-packages/IPython/utils/py3compat.pyc in execfile(fname, *where)
176 else:
177 filename = fname
--> 178 __builtin__.execfile(filename, *where)
/home/till/tlslite/tlsscan.py in <module>()
56 tlscon = TLSConnectionTester(sock)
57
---> 58 for r in tlscon.test():
59 pass
/home/till/tlslite/tlsscan.py in test(self, cipher)
36 for result in self._getMsg(
37 tlslite.constants.ContentType.handshake,
---> 38 tlslite.constants.HandshakeType.server_hello):
39 print result
40 if result in (0, 1):
/home/till/tlslite/tlslite/tlsrecordlayer.pyc in _getMsg(self, expectedType, secondaryType, constructorType)
666 # - we receive an empty application-data fragment; we try again
667 while 1:
--> 668 for result in self._getNextRecord():
669 if result in (0,1):
670 yield result
/home/till/tlslite/tlslite/tlsrecordlayer.pyc in _getNextRecord(self)
840 #If the connection was abruptly closed, raise an error
841 if len(s)==0:
--> 842 raise TLSAbruptCloseError()
843
844 b += bytearray(s)
TLSAbruptCloseError: TLSAbruptCloseError()
Hi,
TLSlite supports NPN (cool), but the IETF is going to ALPN:
https://www.imperialviolet.org/2013/03/20/alpn.html
http://tools.ietf.org/html/draft-ietf-tls-applayerprotoneg
Is there any update to support ALPN already in progress?
TLSLite attempts to look for TackBreakSig but the most recent source code or latest release download does not have that module yet. Is this a new module that will be committed soon?
Thanks! Great work!
Since tlslite
supports session resumption and doesn't support ECDHE key exchange, it is vulnerable to the 3shake attack, as such, it should implement the draft-ietf-tls-session-hash-04.
Lack of implicit full certificate verification makes this attack especially easy to perform against tlslite
.
When running tests the following error is raised with Python >= 3.7
tlslite (unittest.loader._FailedTest) ... ERROR
======================================================================
ERROR: tlslite (unittest.loader._FailedTest)
----------------------------------------------------------------------
ImportError: Failed to import test module: tlslite
Traceback (most recent call last):
File "/nix/store/6lm4gi5iv8fbf1b1mm6g3gfnnv63f1gn-python3-3.7.1/lib/python3.7/unittest/loader.py", line 468, in _find_test_path
package = self._get_module_from_name(name)
File "/nix/store/6lm4gi5iv8fbf1b1mm6g3gfnnv63f1gn-python3-3.7.1/lib/python3.7/unittest/loader.py", line 375, in _get_module_from_name
__import__(name)
File "/build/tlslite-0.4.9/tlslite/__init__.py", line 27, in <module>
from tlslite.api import *
File "/build/tlslite-0.4.9/tlslite/api.py", line 11, in <module>
from .tlsconnection import TLSConnection
File "/build/tlslite-0.4.9/tlslite/tlsconnection.py", line 71
async=False):
^
SyntaxError: invalid syntax
----------------------------------------------------------------------
Ran 1 test in 0.000s
See pypa/pipenv#956 for details
https://github.com/doublereedkurt/pyjks
I'm the maintainer of a single-module JKS file reader.
I think utils/jks.py would make sense to have next to utils/pem.py
https://github.com/trevp/tlslite/blob/14f2c60d93b642f080bef664cc718d2ea1291487/tlslite/utils/pem.py
I'd be happy to help integrate the code.
File "/usr/local/lib/python2.7/dist-packages/tlslite/tlsconnection.py", line 308, in handshakeClientCert
for result in handshaker:
File "/usr/local/lib/python2.7/dist-packages/tlslite/tlsconnection.py", line 324, in _handshakeClientAsync
for result in self._handshakeWrapperAsync(handshaker, checker):
File "/usr/local/lib/python2.7/dist-packages/tlslite/tlsconnection.py", line 1777, in _handshakeWrapperAsync
for result in handshaker:
File "/usr/local/lib/python2.7/dist-packages/tlslite/tlsconnection.py", line 472, in _handshakeClientAsyncHelper
serverHello.tackExt):
File "/usr/local/lib/python2.7/dist-packages/tlslite/tlsconnection.py", line 837, in _clientRSAKeyExchange
encryptedPreMasterSecret = publicKey.encrypt(premasterSecret)
File "/usr/local/lib/python2.7/dist-packages/tlslite/utils/rsakey.py", line 151, in encrypt
c = self._rawPublicKeyOp(m)
File "/usr/local/lib/python2.7/dist-packages/tlslite/utils/pycrypto_rsakey.py", line 36, in _rawPublicKeyOp
m = self.rsa.encrypt(c, None)[0]
File "/usr/local/lib/python2.7/dist-packages/Crypto/PublicKey/RSA.py", line 390, in encrypt
raise NotImplementedError("Use module Crypto.Cipher.PKCS1_OAEP instead")
NotImplementedError: Use module Crypto.Cipher.PKCS1_OAEP instead
So we now have pretty decent CI setup (thanks for the quick merges!), we can easily extend it to also include coverity checks.
Question is, how do we do it?
I see two options:
.travis.yml
, similar to the pylint check, where we just get pass/fail based on a threshold valuepython_rsakey.Python_RSAKey.parsePEM()'s docstring:
"""Parse a string containing a <privateKey> or <publicKey>, or
PEM-encoded key."""
It's implementation:
if pemSniff(s, "PRIVATE KEY"):
bytes = dePem(s, "PRIVATE KEY")
return Python_RSAKey._parsePKCS8(bytes)
elif pemSniff(s, "RSA PRIVATE KEY"):
bytes = dePem(s, "RSA PRIVATE KEY")
return Python_RSAKey._parseSSLeay(bytes)
else:
raise SyntaxError("Not a PEM private key file")
Which means that public_key = keyfactory.parseAsPublicKey(rsa_public_key)
will never work.
Support for Twisted via a TLSLite-based implementation of a Twisted endpoint would be great.
About Twisted endpoints:
http://twistedmatrix.com/documents/current/core/howto/endpoints.html
https://speakerdeck.com/ashfall/twisted-logic-endpoints-and-why-you-shouldnt-be-scared-of-twisted
Setup a web server with tlslite and SessionCache enabled
do the following request
$ openssl s_client -reconnect -connect 127.0.0.1:8082 < /dev/null
Wait for the session timeout (default is 4 hours)
Do the above request again.
request should work
The second request returns with an error on SSL level
89484:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:/SourceCache/OpenSSL098/OpenSSL098-52.8.1/src/ssl/s3_pkt.c:564:
explaination and proposed fix is in pull request #67
tlslite/tlslite/utils/cryptomath.py
Line 121 in cd82fad
The "ord()" function here is redundant with Python 3, and will produce an error. It should be removed.
Current code in messages.py:
def write(self):
w = Writer()
if self.cipherSuite in CipherSuite.srpAllSuites:
w.addVarSeq(numberToByteArray(self.srp_N), 1, 2)
w.addVarSeq(numberToByteArray(self.srp_g), 1, 2)
w.addVarSeq(self.srp_s, 1, 1)
w.addVarSeq(numberToByteArray(self.srp_B), 1, 2)
if self.cipherSuite in CipherSuite.srpCertSuites:
w.addVarSeq(self.signature, 1, 2)
elif self.cipherSuite in CipherSuite.anonSuites:
w.addVarSeq(numberToByteArray(self.dh_p), 1, 2)
w.addVarSeq(numberToByteArray(self.dh_g), 1, 2)
w.addVarSeq(numberToByteArray(self.dh_Ys), 1, 2)
if self.cipherSuite in []: # TODO support for signed_params
w.addVarSeq(self.signature, 1, 2)
return self.postWrite(w)
def hash(self, clientRandom, serverRandom):
oldCipherSuite = self.cipherSuite
self.cipherSuite = None
try:
bytes = clientRandom + serverRandom + self.write()[4:]
return MD5(bytes) + SHA1(bytes)
finally:
self.cipherSuite = oldCipherSuite
will cause the hash to not include the set SRP parameters (note the self.cipherSuite = None
line), also, the signature algorithm is incorrect for TLSv1.2 protocol
We have Linux CI testing but now Windows, would be nice if someone wants to figure that out.
The HTTPTLSConnection class does not send SNI information.
It can be tested by connecting to an SNI-only site and looking at the certificate:
>>> from tlslite.api import HTTPTLSConnection
>>> c = HTTPTLSConnection("biewald.dedyn.io", 443)
>>> c.request("GET", "")
>>> print(c.tlsSession.serverCertChain.x509List[0].bytes)
bytearray(b"0\x82\...\x82\x0evarbin.noip.me0Q...\xc3\xdf")
My python version is 3.5.0 and my tlslite version is 0.4.9 from PyPi.
hi tls-dev:
i successfully install the tls, and run the test-suite like this:
./tlstest.py server localhost:4443 .
and open another shell, type
./tlstest.py client localhost:4443 .
then i get an error log like this. could you please help me to solve this problem.
Traceback (most recent call last):
File "./tlstest.py", line 981, in
clientTestCmd(sys.argv[2:])
File "./tlstest.py", line 478, in clientTestCmd
connection.handshakeClientCert()
File "/usr/local/lib/python2.7/dist-packages/tlslite/tlsconnection.py", line 308, in handshakeClientCert
for result in handshaker:
File "/usr/local/lib/python2.7/dist-packages/tlslite/tlsconnection.py", line 324, in _handshakeClientAsync
for result in self._handshakeWrapperAsync(handshaker, checker):
File "/usr/local/lib/python2.7/dist-packages/tlslite/tlsconnection.py", line 1777, in _handshakeWrapperAsync
for result in handshaker:
File "/usr/local/lib/python2.7/dist-packages/tlslite/tlsconnection.py", line 418, in _handshakeClientAsyncHelper
for result in self._clientGetServerHello(settings, clientHello):
File "/usr/local/lib/python2.7/dist-packages/tlslite/tlsconnection.py", line 559, in _clientGetServerHello
HandshakeType.server_hello):
File "/usr/local/lib/python2.7/dist-packages/tlslite/tlsrecordlayer.py", line 722, in _getMsg
raise TLSRemoteAlert(alert)
tlslite.errors.TLSRemoteAlert: handshake_failure
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google โค๏ธ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.